Bug ID 459929: Policy rules can be evaluated in different order

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.4.0, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10

Fixed In:
11.6.0, 11.5.2

Opened: Apr 30, 2014
Severity: 4-Minor
Related Article:
K19551223

Symptoms

LTM Policy rule ordinal values for ensuring which rules are considered first, second, and so on, can evaluate in other than the configured order.

Impact

Unexpected policy actions might be invoked if an out-of-order rule matches the conditions.

Conditions

If the ordinal value associated with a policy rule is larger than 65536, then there is potential for rules to be evaluated in a different order than expected.

Workaround

Using the GUI, drag-and-drop rules into desired order, and the system saves the policy rules using within-range ordinals. Alternatively, edit the configuration to make all ordinals fall below 65536. You can do so manually, or by using a script similar to the following: perl -pe 's/000/0/ if (/ordinal\s+\d+/);' /config/bigip.conf > /config/bigip.conf.fixed. Important: Before executing a Perl script, make sure you are familiar with the kinds of changes the script generates.

Fix Information

Policy rules are now evaluated in the expected order.

Behavior Change